
Excessive (?) logging in /var/log/system.log (10.9.2)



So, we are evaluating "System Center 2012 Endpoint Protection" -- which is Microsoft's purchase/rebranding of ESET.

 

We are finding that with the "Real-Time File System Protection" enabled -- even with Tools --> Logs -- Computer Scan Log Records Default Filter having all checkboxes disabled -- the "scep_daemon" is logging an excessive amount of data when users are running Mail.app, Safari, Calendar, etc...

 

(example):

 

scep_daemon[310]: summ[01360a00]: vdb=17694, agent=fac, name="/private/var/folders/n1/zbkcr0gx585dmtnqh13gnpv8m7xf9l/T/com.apple.mail/TemporaryItems/(A Document Being Saved By Mail 2)/BackingStoreUpdateJournal", virus="", action="", info="Event occurred on a newly created file.", avstatus="not scanned", hop="accepted"

 

However, I'm not here to ask about SCEP.

 

But, noticing the above, we got a trial version of ESET 6.0.9.1 -- and we are seeing the same excessive logging (this time with esets_daemon) in system.log for the same actions (so it's not specifically an SCEP problem...)

 

 

Is there a way to disable this excessive logging to system.log with the RTFSP enabled? This excessive logging generates a ton of noise when we are looking into system.log for other things.

 

Thanks!


Is this just expected behavior with ESET?

No, it's not. Personally, I didn't respond since I don't know the answer. And I don't know why no one official has responded yet, but it happens that it goes days sometimes; as I said, I don't know why no one has responded.

 

But I agree someone should have responded by now.


I read over this as well and I was not sure what to answer with.

 

First off, I didn't know Microsoft made SCEP with ESET definitions. Is it using their modules as well? Anti-phishing, web control, etc.?

I must have missed the ESET press release on that one. Maybe a Mod will answer this question too.

 

Second, the only closely related issue I have heard of is the environment variable eset_daemon causing several issues due to the index, or data having a few thousand null characters or spaces.

Check the environment variables for scep_daemon on one of the clients and see if it exists and what the data or value is.

 

The fastest way to receive support in time sensitive cases is to contact ESET by phone.

However, if you stick around, I am confident staff will address your concerns.

They may be testing through a VM together, or researching the matter at hand before responding or replying here with steps or resolution to your problem.

 

Thanks and sorry for the delay Steve. :)


Just to confirm: This is not an SCEP issue. This also happens with ESET 6.0:

 

Here's an example of just one minute of using my Mac as normal and what gets logged (if I grep "esets_daemon"...)

 

Apr  3 08:50:08 m-c02hw55bdrvg.local esets_daemon[275]: summ[01130700]: vdb=17707, agent=fac, name="/private/var/folders/n1/zbkcr0gx585dmtnqh13gnpv8m7xf9l/C/com.apple.mail/mds/mdsDirectory.db_", virus="", action="", info="Event occurred on a newly created file.", avstatus="not scanned", hop="accepted"

Apr  3 08:50:11 m-c02hw55bdrvg.local esets_daemon[275]: summ[01130c00]: vdb=17707, agent=fac, name="/Users/maser/Library/Caches/.dat023f.001", virus="", action="", info="Event occurred on a newly created file.", avstatus="not scanned", hop="accepted"

Apr  3 08:50:17 m-c02hw55bdrvg.local esets_daemon[275]: summ[01130800]: vdb=17707, agent=fac, name="/Users/maser/Library/Preferences/com.apple.AddressBook.plist.gS4qOzE", virus="", action="", info="Event occurred on a newly created file.", avstatus="not scanned", hop="accepted"

Apr  3 08:50:34 m-c02hw55bdrvg.local esets_daemon[275]: summ[01130600]: vdb=17707, agent=fac, name="/private/var/folders/n1/zbkcr0gx585dmtnqh13gnpv8m7xf9l/T/com.apple.mail/TemporaryItems/(A Document Being Saved By Mail)/Mail Attachment.ics", virus="", action="", info="Event occurred on a newly created file.", avstatus="not scanned", hop="accepted"

Apr  3 08:50:34 m-c02hw55bdrvg.local esets_daemon[275]: summ[01130500]: vdb=17707, agent=fac, name="/private/var/folders/n1/zbkcr0gx585dmtnqh13gnpv8m7xf9l/T/com.apple.mail/TemporaryItems/(A Document Being Saved By Mail)/invite.ics", virus="", action="", info="Event occurred on a newly created file.", avstatus="not scanned", hop="accepted"

Apr  3 08:50:34 m-c02hw55bdrvg.local esets_daemon[275]: summ[01130700]: vdb=17707, agent=fac, name="/private/var/folders/n1/zbkcr0gx585dmtnqh13gnpv8m7xf9l/T/com.apple.mail/TemporaryItems/(A Document Being Saved By Mail)/4697752104 (18 seconds) Voice Mail.mp3", virus="", action="", info="Event occurred on a newly created file.", avstatus="not scanned", hop="accepted"

Apr  3 08:50:39 m-c02hw55bdrvg.local esets_daemon[275]: summ[01130700]: vdb=17707, agent=fac, name="/Users/maser/Library/Containers/com.apple.mail/Data/Library/Preferences/com.apple.mail.plist.npeH6kP", virus="", action="", info="Event occurred on a newly created file.", avstatus="not scanned", hop="accepted"

Apr  3 08:50:47 m-c02hw55bdrvg.local esets_daemon[275]: summ[01130c00]: vdb=17707, agent=fac, name="/private/var/folders/n1/zbkcr0gx585dmtnqh13gnpv8m7xf9l/T/com.apple.mail/TemporaryItems/(A Document Being Saved By Mail)/Senior Picture Release_04012014144714.pdf", virus="", action="", info="Event occurred on a newly created file.", avstatus="not scanned", hop="accepted"

Apr  3 08:50:47 m-c02hw55bdrvg.local esets_daemon[275]: summ[01130600]: vdb=17707, agent=fac, name="/private/var/folders/n1/zbkcr0gx585dmtnqh13gnpv8m7xf9l/T/com.apple.mail/TemporaryItems/(A Document Being Saved By Mail)/Senior Picture Office Flyer_04012014144735.pdf", virus="", action="", info="Event occurred on a newly created file.", avstatus="not scanned", hop="accepted"

Apr  3 08:50:47 m-c02hw55bdrvg.local esets_daemon[275]: summ[01130800]: vdb=17707, agent=fac, name="/private/var/folders/n1/zbkcr0gx585dmtnqh13gnpv8m7xf9l/T/com.apple.mail/TemporaryItems/(A Document Being Saved By Mail)/system.log", virus="", action="", info="Event occurred on a newly created file.", avstatus="not scanned", hop="accepted"

Apr  3 08:50:53 m-c02hw55bdrvg.local esets_daemon[275]: summ[01130600]: vdb=17707, agent=fac, name="/private/var/folders/n1/zbkcr0gx585dmtnqh13gnpv8m7xf9l/T/com.apple.mail/TemporaryItems/(A Document Being Saved By Mail)/Senior Picture Release_04012014144714.pdf", virus="", action="", info="Event occurred on a newly created file.", avstatus="not scanned", hop="accepted"

Apr  3 08:50:53 m-c02hw55bdrvg.local esets_daemon[275]: summ[01130300]: vdb=17707, agent=fac, name="/private/var/folders/n1/zbkcr0gx585dmtnqh13gnpv8m7xf9l/T/com.apple.mail/TemporaryItems/(A Document Being Saved By Mail)/Senior Picture Office Flyer_04012014144735.pdf", virus="", action="", info="Event occurred on a newly created file.", avstatus="not scanned", hop="accepted"

Apr  3 08:50:53 m-c02hw55bdrvg.local esets_daemon[275]: summ[01130b00]: vdb=17707, agent=fac, name="/private/var/folders/n1/zbkcr0gx585dmtnqh13gnpv8m7xf9l/T/com.apple.mail/TemporaryItems/(A Document Being Saved By Mail)/DETAILS.doc", virus="", action="", info="Event occurred on a newly created file.", avstatus="not scanned", hop="accepted"

Apr  3 08:50:57 m-c02hw55bdrvg.local esets_daemon[275]: summ[01130800]: vdb=17707, agent=fac, name="/Users/maser/Library/Mail/V2/MailData/BackingStoreUpdateJournal", virus="", action="", info="Event occurred on a newly created file.", avstatus="not scanned", hop="accepted"


 

 

There is a *lot* of this kind of logging...

Edited by stevemaser
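
The log lines quoted above share one layout: a `summ[...]` record of comma-separated `key=value` fields, with quoted values that can themselves contain commas and spaces. The following is an added example, not code from ESET or from any poster in this thread, that parses that layout and separates the "newly created file / not scanned" entries from any record carrying a non-empty `virus` or `action` field. The sample lines are constructed, and the values in the last one (`EXAMPLE-DETECTION`, `example-action`, `example-status`) are placeholders, not real product output.

```python
import re
from collections import Counter

# Constructed sample in the layout quoted in the thread. The final scep_daemon
# line is hypothetical: its virus/action/avstatus values are placeholders.
SAMPLE = '''\
Apr  3 08:50:11 host.local esets_daemon[275]: summ[01130c00]: vdb=17707, agent=fac, name="/Users/u/Library/Caches/.dat023f.001", virus="", action="", info="Event occurred on a newly created file.", avstatus="not scanned", hop="accepted"
Apr  3 08:50:34 host.local esets_daemon[275]: summ[01130500]: vdb=17707, agent=fac, name="/private/var/folders/n1/x/T/com.apple.mail/TemporaryItems/(A Document Being Saved By Mail)/invite.ics", virus="", action="", info="Event occurred on a newly created file.", avstatus="not scanned", hop="accepted"
Apr  3 08:50:40 host.local syslogd[20]: ASL Sender Statistics
Apr  3 08:51:02 host.local scep_daemon[310]: summ[01360a00]: vdb=17694, agent=fac, name="/Users/u/Downloads/sample, v2.bin", virus="EXAMPLE-DETECTION", action="example-action", info="", avstatus="example-status", hop="accepted"
'''

LINE = re.compile(r'(?P<daemon>esets_daemon|scep_daemon)\[\d+\]: summ\[[0-9a-f]+\]: (?P<body>.*)$')
# key=value pairs; a value is either double-quoted (may hold commas) or bare.
FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|([^,\s]*))')

def parse(line):
    """Return the record's fields as a dict, or None for unrelated lines."""
    m = LINE.search(line)
    if not m:
        return None
    rec = {key: (quoted if quoted else bare)
           for key, quoted, bare in FIELD.findall(m.group('body'))}
    rec['daemon'] = m.group('daemon')
    return rec

def is_noise(rec):
    # The pattern reported in the thread: nothing detected, nothing done.
    return (rec.get('virus') == '' and rec.get('action') == ''
            and rec.get('avstatus') == 'not scanned')

def triage(text):
    """Count noise records per daemon and collect everything else for review."""
    noise, keep = Counter(), []
    for line in text.splitlines():
        rec = parse(line)
        if rec is None:
            continue  # not a summ[] record from the scanner daemons
        if is_noise(rec):
            noise[rec['daemon']] += 1
        else:
            keep.append(rec)
    return noise, keep

if __name__ == '__main__':
    noise, keep = triage(SAMPLE)
    print('suppressed:', dict(noise))
    for rec in keep:
        print('review:', rec['daemon'], rec['name'], rec['virus'], rec['action'])
```
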

It's been another week (actually over two weeks since the initial post) -- and nothing?

 

I have to say -- if this is how users are supposed to get support for the product -- it's underwhelming and not very confidence-inducing...


  • Administrators

Please contact Customer care who should request you to run a special script to collect all necessary information that will be subsequently passed to engineers for analysis.


  • 3 weeks later...
  • ESET Staff

Hello,

 

In some testing I and another did today, we believe we may have found the solution you are looking for. Can you execute the 2 following commands from a terminal and then reboot? As you are using the "Microsoft's purchase/rebranding of ESET" you may need to locate the "esets_set" command and change the file path to reflect the path to your "esets_set". Please inform us if this works to filter all the esets entries in your system.log.

 

sudo /Applications/ESET\ Cyber\ Security.app/Contents/MacOS/esets_set --section global --set syslog_class=none

sudo /Applications/ESET\ Cyber\ Security.app/Contents/MacOS/esets_set --section global --set syslog_class

 

If for some reason the commands are giving syntax errors, please let me know the following information:

- The Mac OS X version

- Which ESET CyberSecurity product you are using (CyberSecurity or CyberSecurity Pro)

- The version number for your CyberSecurity product (5 or 6).

 

We may need to adjust the folder path depending on your installed ESET product.

 

Again, please reply to this thread to let us know if this resolves the issue.


  • Former ESET Employees

After further testing we found that we needed to use syslog_facility=none not syslog_class=none to disable all ESET logging to the system.log file. Please ensure the previous syslog_class option is commented out or removed from the esets.cfg file. You can do this by running the following command:

 

sudo /Applications/ESET\ Cyber\ Security.app/Contents/MacOS/esets_set --section global --set syslog_class

 

After that please run the command below to add syslog_facility=none to the global section of the esets.cfg file:

 

sudo /Applications/ESET\ Cyber\ Security.app/Contents/MacOS/esets_set --section global --set syslog_facility=none

 

Once completed, restart your computer and check to ensure no more ESET log entries are showing up in the system.log file.

 

Please submit replies to the following thread so we can consolidate https://forum.eset.com/topic/2324-how-to-disable-systemlog-logging/


This topic is now closed to further replies.